RSherman90
Apr 18, 2020, Apprentice
Is a NAS vulnerable to Ransomware attack?
We have a small workgroup network of 10 PCs and an RN-424 serving shared data to all the PCs. All the PCs do image backups to a Share on the NAS as well as local image backups to a 2nd hard drive on e...
ReadyNASinUK
Apr 19, 2020, Aspirant
Sandshark, I think I understand your suggestion, but as well as backup, our ReadyNAS is used for PC users to access shared files. Your suggestion seems to be "don't do that"?
I have been thinking about anti-ransomware precautions along these lines:
For backups, no access to backup shares from network PCs.
For shared files, backup frequently to a different share on the NAS, which also has no access from network PCs. (Data penalty here, but user files on our NAS are only a few 100s of GB)
I am not a ReadyNAS expert by any means, so would welcome comments on this as a strategy.
StephenB
Apr 19, 2020, Guru - Experienced User
ReadyNASinUK wrote:
For shared files, backup frequently to a different share on the NAS, which also has no access from network PCs. (Data penalty here, but user files on our NAS are only a few 100s of GB)
I'd like to repeat the suggestion on using btrfs snapshots as part of your mitigation strategy. When the malware rewrites the files (encrypting them, and optionally scrambling their names), the original files will remain in the snapshots. That is more efficient than your frequent backup idea, and also should eliminate the need to stop the backups before the encrypted files poison the backup store. It would also give you the most recent copy of the unencrypted files.
If you are new to NAS, you should probably research how btrfs snapshots work generally. They also provide some ability to roll back to older file versions in response to user errors.
Another mitigation (which I use myself) is to deploy a backup NAS that uses rsync, and doesn't have SMB or other file sharing protocols enabled at all. This NAS runs on a power schedule, so it isn't on very often. This reduces the chance of the malware reaching it (especially in the scenario where I see the problem in time to simply disconnect that NAS from my network).
Cloud backup is another potential mitigation - many do have some ability to detect malware infections, and prevent them from spreading to the cloud backups. In some cases they offer unlimited retention, which would ensure that you can get back to uncorrupted files. And you might want cloud backup for disaster recovery anyway.
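The snapshot point above can be turned into a pre-backup check. This is an added example, not part of the original post and not NETGEAR code: it compares a share against a copy of its last snapshot and reports how much of it has vanished or been rewritten as random-looking data. The directory layout, function names and thresholds are assumptions, and the sample files are constructed.

```python
import math, os, tempfile
from collections import Counter

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted data sits close to 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def list_files(root):
    """Map each file's path relative to root to its full path."""
    return {os.path.relpath(os.path.join(d, f), root): os.path.join(d, f)
            for d, _, files in os.walk(root) for f in files}

def head(path, size=65536):
    with open(path, "rb") as fh:
        return fh.read(size)

def compare_to_snapshot(snapshot_dir, live_dir, min_entropy=7.5):
    """Report files that vanished or were rewritten as high-entropy data."""
    snap, live = list_files(snapshot_dir), list_files(live_dir)
    missing = sorted(set(snap) - set(live))  # deleted or renamed since snapshot
    rewritten = []
    for rel in sorted(set(snap) & set(live)):
        new = head(live[rel])
        # An edited zip or jpg also matches, so decide on the ratio, not one file.
        if new != head(snap[rel]) and entropy(new) >= min_entropy:
            rewritten.append(rel)
    ratio = (len(missing) + len(rewritten)) / len(snap) if snap else 0.0
    return {"missing": missing, "rewritten": rewritten, "ratio": ratio}

def should_hold_backup(report, threshold=0.3):
    """True when enough of the share changed that the backup job should wait."""
    return report["ratio"] >= threshold

def demo():
    """Constructed sample: 4 text files snapshotted, then 2 encrypted, 1 renamed."""
    base = tempfile.mkdtemp()
    snap, live = os.path.join(base, "snapshot"), os.path.join(base, "share")
    text = b"quarterly report, line of ordinary text\n" * 200
    for root in (snap, live):
        os.makedirs(root)
        for name in ("a.txt", "b.txt", "c.txt", "d.txt"):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(text)
    for name in ("a.txt", "b.txt"):  # random bytes stand in for encrypted content
        with open(os.path.join(live, name), "wb") as fh:
            fh.write(os.urandom(8192))
    os.rename(os.path.join(live, "c.txt"), os.path.join(live, "x9f2.locked"))
    return compare_to_snapshot(snap, live)
```

Calling `should_hold_backup(demo())` returns `True` for the constructed share, which is the signal to skip the rsync or backup job and restore from the snapshot instead.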
- RSherman90, Apr 19, 2020, Apprentice
Thanks for all the advice.
Looks like I need a few more TB to better utilize snapshots on our main server RN424. We do have two older NASs which we use for backup, a local NV+, and a remote RN104. Looks like I need to isolate those backups better and limit them to using rsync.
- RSherman90, Apr 20, 2020, Apprentice
Four questions on follow-up:
1. Is there a way to expand a 4-disk XRaid to a larger but only 3-disk configuration? I understand a full backup to another device, add 3 new disks, restore from backup. But that presents some risk and takes a lot of time during which the NAS is mostly offline to users. Is there another option?
2. Following Stephen's idea of backing up user PC images to a non-accessible share sounds like a good idea. I'm wondering if an attached USB or eSATA drive could be used in the same way. Would it have to be formatted as btrfs or could it be NTFS so the enclosure could be moved to a local PC in order to restore a backup image?
3. Can 4 disks from an RN424 be moved to an RN104 successfully if they are both using the same, latest firmware? That would eliminate having to do a full backup.
4. Are Read-Only NAS shares protected from a Ransomware encryption attack from a hacked, local PC that has mapped drives to that share with saved credentials?
Thanks.
- Sandshark, Apr 20, 2020, Sensei - Experienced User
1. I posted a very complicated procedure for reducing the number of drives in an array. If you have sufficient Linux skills, it's here: Reducing-RAID-size-removing-drives-WITHOUT-DATA-LOSS-is-possible. That doesn't deal with multiple layers due to expansion, so I recommend reducing to 3 drives then replacing with larger ones if you go this route. Because it involves a lot of messing with MDADM and BTRFS as well as re-boots, doing it while files are being accessed is probably not a good idea. And honestly, if you have good backup, starting fresh is way better.
2. USB drives can be FAT, NTFS, or EXT (Linux native); they are never BTRFS. EXT drivers are available for Windows, but using NTFS is usually best unless the conversion of Linux permissions to NTFS doesn't work well for you. That allows you to access the drive directly from Windows.
3. Yes. The only limitation is installed apps. If you use any (and I suspect you don't), uninstall on the Intel system and re-install on the ARM one. Same limitation going the other way, BTW.
4. They should be, and I have no reason to doubt they are. Exception may be if that user has permission to change the share to read/write.